Razor Pages authorization conventions in ASP.NET Core

By Luke Latham

One way to control access in your Razor Pages app is to use authorization conventions at startup. These conventions allow you to authorize users and allow anonymous users to access individual pages or folders of pages. The conventions described in this topic automatically apply authorization filters to control access.

View or download sample code (how to download)

The sample app uses cookie authentication without ASP.NET Core Identity. The concepts and examples shown in this topic apply equally to apps that use ASP.NET Core Identity. To use ASP.NET Core Identity, follow the guidance in Introduction to Identity on ASP.NET Core.

Require authorization to access a page

Use the AuthorizePage convention via AddRazorPagesOptions to add an AuthorizeFilter to the page at the specified path:

services.AddMvc()
    .AddRazorPagesOptions(options =>
    {
        options.Conventions.AuthorizePage("/Contact");
        options.Conventions.AuthorizeFolder("/Private");
        options.Conventions.AllowAnonymousToPage("/Private/PublicPage");
        options.Conventions.AllowAnonymousToFolder("/Private/PublicPages");
    })
    .SetCompatibilityVersion(CompatibilityVersion.Version_2_2);

The specified path is the View Engine path, which is the Razor Pages root relative path without an extension and containing only forward slashes.

To specify an authorization policy, use an AuthorizePage overload:

options.Conventions.AuthorizePage("/Contact", "AtLeast21");

Note

An AuthorizeFilter can be applied to a page model class with the [Authorize] filter attribute. For more information, see Authorize filter attribute.

Require authorization to access a folder of pages

Use the AuthorizeFolder convention via AddRazorPagesOptions to add an AuthorizeFilter to all of the pages in a folder at the specified path:

services.AddMvc()
    .AddRazorPagesOptions(options =>
    {
        options.Conventions.AuthorizePage("/Contact");
        options.Conventions.AuthorizeFolder("/Private");
        options.Conventions.AllowAnonymousToPage("/Private/PublicPage");
        options.Conventions.AllowAnonymousToFolder("/Private/PublicPages");
    })
    .SetCompatibilityVersion(CompatibilityVersion.Version_2_2);

The specified path is the View Engine path, which is the Razor Pages root relative path.

To specify an authorization policy, use an AuthorizeFolder overload:

options.Conventions.AuthorizeFolder("/Private", "AtLeast21");

Require authorization to access an area page

Use the AuthorizeAreaPage convention via AddRazorPagesOptions to add an AuthorizeFilter to the area page at the specified path:

options.Conventions.AuthorizeAreaPage("Identity", "/Manage/Accounts");

The page name is the path of the file without an extension relative to the pages root directory for the specified area. For example, the page name for the file Areas/Identity/Pages/Manage/Accounts.cshtml is /Manage/Accounts.

To specify an authorization policy, use an AuthorizeAreaPage overload:

options.Conventions.AuthorizeAreaPage("Identity", "/Manage/Accounts", "AtLeast21");

Require authorization to access a folder of areas

Use the AuthorizeAreaFolder convention via AddRazorPagesOptions to add an AuthorizeFilter to all of the areas in a folder at the specified path:

options.Conventions.AuthorizeAreaFolder("Identity", "/Manage");

The folder path is the path of the folder relative to the pages root directory for the specified area. For example, the folder path for the files under Areas/Identity/Pages/Manage/ is /Manage.

To specify an authorization policy, use an AuthorizeAreaFolder overload:

options.Conventions.AuthorizeAreaFolder("Identity", "/Manage", "AtLeast21");

Allow anonymous access to a page

Use the AllowAnonymousToPage convention via AddRazorPagesOptions to add an AllowAnonymousFilter to a page at the specified path:

services.AddMvc()
    .AddRazorPagesOptions(options =>
    {
        options.Conventions.AuthorizePage("/Contact");
        options.Conventions.AuthorizeFolder("/Private");
        options.Conventions.AllowAnonymousToPage("/Private/PublicPage");
        options.Conventions.AllowAnonymousToFolder("/Private/PublicPages");
    })
    .SetCompatibilityVersion(CompatibilityVersion.Version_2_2);

The specified path is the View Engine path, which is the Razor Pages root relative path without an extension and containing only forward slashes.

Allow anonymous access to a folder of pages

Use the AllowAnonymousToFolder convention via AddRazorPagesOptions to add an AllowAnonymousFilter to all of the pages in a folder at the specified path:

services.AddMvc()
    .AddRazorPagesOptions(options =>
    {
        options.Conventions.AuthorizePage("/Contact");
        options.Conventions.AuthorizeFolder("/Private");
        options.Conventions.AllowAnonymousToPage("/Private/PublicPage");
        options.Conventions.AllowAnonymousToFolder("/Private/PublicPages");
    })
    .SetCompatibilityVersion(CompatibilityVersion.Version_2_2);

The specified path is the View Engine path, which is the Razor Pages root relative path.

Note on combining authorized and anonymous access

It's valid to specify that a folder of pages that require authorization and than specify that a page within that folder allows anonymous access:

// This works.
.AuthorizeFolder("/Private").AllowAnonymousToPage("/Private/Public")

The reverse, however, isn't valid. You can't declare a folder of pages for anonymous access and then specify a page within that folder that requires authorization:

// This doesn't work!
.AllowAnonymousToFolder("/Public").AuthorizePage("/Public/Private")

Requiring authorization on the Private page fails. When both the AllowAnonymousFilter and AuthorizeFilter are applied to the page, the AllowAnonymousFilter takes precedence and controls access.

Additional resources